HIMA Training

SILworX safeethernet

Contents:

1       General ........................................................................................ 3
2       Principle, initial situation as example ........................................ 3
3       Interface settings (Hardware editor) .......................................... 4
4       Safeethernet Variables ............................................................... 6
4.1     Create Safeethernet variables .................................................... 6
5       Communication settings (safeethernet editor) .......................... 7
5.1     Create links, assign interfaces ................................................... 7
5.1.1   Multiple links (new with V6) ..................................................... 8
5.2     Set link properties ...................................................................... 9
5.2.1   Basic link properties ................................................................. 9
5.2.2   Advanced link properties (since SILworX V6) ......................... 11
5.3     Assign variables to communication ......................................... 12
5.4     Check (or set) fragment definitions (optional) ........................ 13
6       Diagnosis .................................................................................. 14
6.1     Safeethernet diagnostic block (in logic) (System Variables) .. 14
6.2     Basic check safeethernet communication ............................... 16
6.3     Check for sporadic or historical errors .................................... 18
6.4     Check transmitted data ............................................................ 19
6.5     Check safeethernet signatures ................................................ 20
7       Safeethernet Reload ................................................................. 21
7.1     Basics ....................................................................................... 21
7.1.1   Precondition ............................................................................ 21
7.1.2   Update existing link (<V6) for safeethernet Reload (V6) ....... 21
7.1.3   Safeethernet signature (SE signature) and Dual Configuration  27
7.1.4   Possible changes and impact on Dual Configuration, restrictions  29
7.2     Add/delete (new) link including communication signals ........ 30
7.3     Add/delete communication signals in existing link (Dual Configuration)  31
7.3.1   Standard procedures .............................................................. 31
7.3.2   Standard procedure (golden rule) in detail ........................... 34
7.3.3   Standard procedure (Check list for print out!) ...................... 36
7.3.4   Guidelines and additional user information (CG and Online)  41
7.3.5   Accident scenarios (overview) ............................................... 43
7.3.6   Accident scenarios (details) .................................................. 50
7.4     Change safeethernet parameters ........................................... 58
7.5     Special case: Communication partner is not in the same project  59
7.6     Information in Version comparison ........................................ 60
7.7     Check SE Signature in a project backup ................................ 63
8       Appendix .................................................................................. 64
8.1     Safeethernet principle (simplified) ......................................... 64
        Changes ................................................................................... 67

02-Safeethernet_12_e_F.docx

SILworX

Page 1/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, is prohibited unless by permission from HIMA.


1 General

This document was created with SILworX Version 6.48.

If you have SILworX version 5 or lower, use the step guidance version 05-1.
To be able to use all new functions (multiple links, Reload), the hardware needs an operating system which supports all functions of SILworX V6.

Minimal needed OS version for SILworX Version V6:

System                Module      Minimal OS version
HIMax                 CPU, COM    6.x
Remote I/O            CPU         -
HIMatrix F* 01/02     CPU         (not stated)
HIMatrix F* 01/02     COM         (not stated)
HIMatrix F* 03        CPU         10.x
HIMatrix F* 03        COM         15.x
HIMatrix M45          CPU         10.x
HIMatrix M45          COM         15.x

Table 1.1: Needed operating system

2 Principle, initial situation as example

For general information and hints about possible network structures, please read the communication manual.
In this manual we show the setup for a redundant communication between two HIMax resources.
In our example the local Resource is called PES10 and the target Resource is called PES20:
- PES10 has System ID = 10
- PES20 has System ID = 20
Standard settings are finished (see First Step Manual).

Fig 2.1

3 Interface settings (Hardware editor)

Recommendation for IP addresses:

In principle every IP address is possible.
To keep the addressing simple and understandable and to avoid network problems, we recommend the following:
- For redundant networks, use different network addresses for the redundant modules within a system, separated by a suitable subnet mask.
- Use the System ID as host address for easy orientation.

Example:
Subnet mask: 255.255.255.0 for both CPUs
PES10 (System ID=10), CPU on slot 3: IP address = 192.168.1.10
PES10 (System ID=10), CPU on slot 4: IP address = 192.168.2.10
So the third octet (1 or 2) identifies the two redundant networks, and the last octet 10 (host address) is identical to the System ID.
Open Hardware Editor of PES10:

Fig 3.1: Hardware overview


Set IP address of CPUs:

The parameter Code generation must match the operating system loaded in the hardware.

Fig 3.2: Interface setting for CPU in slot 3

Fig 3.3: Interface settings for CPU in slot 4

Set IP addresses of PES20 accordingly:


PES20 (System ID=20), CPU on slot 3: IP address = 192.168.1.20
PES20 (System ID=20), CPU on slot 4: IP address = 192.168.2.20

4 Safeethernet Variables

4.1 Create Safeethernet variables

Safeethernet variables must be created on a common level. In our case this is the configuration level, but it could also be the project level!
Any data type is possible, even arrays or structured variables.

Fig 4.1: Variable definition

5 Communication settings (safeethernet editor)

Edit safeethernet in the Resource.

(It does not matter in which Resource you start; the settings in the partner Resource are matched automatically.)

5.1 Create links, assign interfaces

Drag the partner Resource into the upper table in order to create a communication link
between this Resource and the partner Resource.

Fig 5.1: Create a safeethernet link

Enter a name for the link:

Fig 5.2: naming a link

Result:

Fig 5.3: Interface overview (columns: Left CPU local, Right CPU local, Left CPU target, Right CPU target)


Check the IP addresses and set them properly if required.

To do so, select the available IP addresses from the drop-down menu.
The IP addresses of the PES are set in the Hardware editor as a property of the CPU and COM modules. See chapter 3.

Fig 5.4: Optional disconnection of the second channel of a link

If no redundancy exists, set None for the second channel.


5.1.1 Multiple links (new with V6)

The transport capacity per link and direction is limited to 1100 Byte.
Please note: 1 Bool = 1 Byte, 1 Word = 2 Byte, 1 Real = 4 Byte.
Drag the same communication partner into the table again in order to create another link:

Fig 5.5: Creating a second link to the same communication partner

Result:

Fig 5.6: Link list

5.2 Set link properties

5.2.1 Basic link properties

For every link you can set several parameters in order to adjust the link properties to the physical environment and the expected time behavior.
For details refer to the communication manual.

Fig 5.7: Link parameters

Recommendations for the most important settings:

Profile: Fast&Noisy (switched network, 100/1000 Mbit) matches 98% of cases!

Receive Timeout (Rcv TMO) = 4 x Delay + 5 x max. cycle time

Delay: delay on the transmission path, e.g. due to switches or a satellite link.
For the calculation of the max. cycle time we have two options:
- The most conservative calculation: max. cycle time = the greater Watchdog time of both communication partners
  (example: PES10 with Watchdog = 100 ms, PES20 with Watchdog = 200 ms, no relevant delays
  => Receive Timeout = 5 x 200 ms = 1000 ms).
- Optimized, since version 3 (SILworX and firmware): in the properties of the Resource set a value for Target Cycle Time and set the Target Cycle Time mode to dynamic-tolerant or (if periodic behavior is needed) fixed-tolerant. With this setting the HIMax exceeds the set Target Cycle Time, if at all, only once during Reload or synchronization of a CPU. Normally the cycle time remains below the Target Cycle Time.
  Watch the cycle time statistic for some time. If the indicated maximum is quite stable, you can use the Target Cycle Time value as max. cycle time in the formula.
  This normally allows smaller values than the Watchdog Time; in any case you should set the Target Cycle Time large enough for synchronizing a CPU (see Safety Manual).

Response Time (Rsp t) = Receive Timeout / 2

Behavior on Connection Loss

Fig 5.8: Behavior on connection loss

For safety-related links the setting must be Use Initial Value or a calculated time.
This parameter is relevant for safety! Please see also the Safety Manual.
The rest of the parameters are calculated automatically based on the selected Profile.
For a better understanding see also chapter 8.1.
Please note:
A Receive Timeout of (e.g.) 5 seconds also means that after a disconnect it takes up to 5 seconds to re-establish the communication!
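The following planning helper is an added example and is not part of this training document or of SILworX. It puts the two rules of thumb from this chapter and from 5.1.1 into code: the 1100 Byte payload limit per link and direction (with the byte sizes 1 Bool = 1, 1 Word = 2, 1 Real = 4 given above) and the timing formulas Receive Timeout = 4 x Delay + 5 x max. cycle time and Response Time = Receive Timeout / 2, with the conservative choice of the greater Watchdog time or, optionally, a stable Target Cycle Time. The byte widths of the data types other than Bool, Word and Real are the usual IEC 61131-3 widths and are an assumption of this example.

```python
"""Planning helper for a safeethernet link: payload budget and timing.

Added example, not HIMA code. Rules taken from the text:
  - payload per link and direction is limited to 1100 bytes
    (1 BOOL = 1 byte, 1 WORD = 2 bytes, 1 REAL = 4 bytes)
  - Receive Timeout = 4 x Delay + 5 x max. cycle time
  - Response Time   = Receive Timeout / 2
  - conservative max. cycle time = greater Watchdog time of both partners
All times are in milliseconds, all sizes in bytes.
"""
from __future__ import annotations

import math

LINK_PAYLOAD_LIMIT = 1100  # bytes per link and direction (from the text)

# BOOL/WORD/REAL are given in the text; the other widths are assumed IEC widths.
TYPE_SIZE = {
    "BOOL": 1, "BYTE": 1, "SINT": 1, "USINT": 1,
    "WORD": 2, "INT": 2, "UINT": 2,
    "DWORD": 4, "DINT": 4, "UDINT": 4, "REAL": 4, "TIME": 4,
}


def payload_bytes(variables: dict[str, int]) -> int:
    """Bytes one direction of a link carries for {data_type: count}."""
    return sum(TYPE_SIZE[t.upper()] * n for t, n in variables.items())


def links_needed(variables: dict[str, int]) -> int:
    """Smallest number of links that carries the payload (1100 bytes each)."""
    return max(1, math.ceil(payload_bytes(variables) / LINK_PAYLOAD_LIMIT))


def conservative_max_cycle_ms(watchdog_a_ms: int, watchdog_b_ms: int) -> int:
    """Most conservative choice: the greater Watchdog time of both partners."""
    return max(watchdog_a_ms, watchdog_b_ms)


def receive_timeout_ms(max_cycle_ms: int, delay_ms: int = 0) -> int:
    """Rcv TMO = 4 x Delay + 5 x max. cycle time."""
    return 4 * delay_ms + 5 * max_cycle_ms


def response_time_ms(max_cycle_ms: int, delay_ms: int = 0) -> int:
    """Rsp t = Receive Timeout / 2, rounded up to whole milliseconds."""
    return math.ceil(receive_timeout_ms(max_cycle_ms, delay_ms) / 2)


def plan_link(variables: dict[str, int], watchdog_a_ms: int, watchdog_b_ms: int,
              delay_ms: int = 0, target_cycle_ms: int | None = None) -> dict:
    """Recommended settings for one link.

    If target_cycle_ms is given (optimized method: Target Cycle Time set to
    dynamic-tolerant or fixed-tolerant and confirmed stable in the cycle time
    statistic) it replaces the Watchdog-based max. cycle time.
    """
    max_cycle = (target_cycle_ms if target_cycle_ms is not None
                 else conservative_max_cycle_ms(watchdog_a_ms, watchdog_b_ms))
    return {
        "payload_bytes": payload_bytes(variables),
        "links_needed": links_needed(variables),
        "max_cycle_ms": max_cycle,
        "receive_timeout_ms": receive_timeout_ms(max_cycle, delay_ms),
        "response_time_ms": response_time_ms(max_cycle, delay_ms),
    }


if __name__ == "__main__":
    # Example from the text: PES10 Watchdog 100 ms, PES20 Watchdog 200 ms, no delay.
    # The variable counts are constructed for the example.
    for key, value in plan_link({"BOOL": 200, "WORD": 100, "REAL": 50}, 100, 200).items():
        print(f"{key:>20}: {value}")
```

Run it as a script to print the plan; `links_needed` tells you when a second link (chapter 5.1.1) is required before the editor refuses the assignment.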

Code Generation
This parameter is new with version 6 and appears at the very right end of the table.
The default value might not match the system, so this parameter must be checked.

Fig 5.9: Code generation parameter

For links newly generated in V6 the (default) value is automatically set to V6 and higher.
This setting is basically a preparation for safeethernet Reload and should only be set if the communication partners support the new features (firmware compatible to V6, see Table 1.1 Needed operating system).
For converted (old) projects the parameter is set to Up to V6.

Fig 5.10: Code generation parameter

Do not change it unless both communication partners are updated to a firmware compatible to SILworX V6!

5.2.2 Advanced link properties (since SILworX V6)

Safeethernet link ID / safeethernet address

Fig 5.11: Link ID

The link ID is generated automatically but can also be modified.

The ID is part of the safeethernet address, which is used for example in online displays or messages.
Example: Control Panel
(1) Target System ID
(2) Rack ID (e.g. for RIOs)
(3) Link ID

Fig 5.12: Multiple link list

Timing Master

Fig 5.13: Timing master

By default the partner with the lower System ID is set as Timing Master.
When modifying time settings, only this partner must be reloaded; the other partner (called Timing Slave) automatically accepts the new time settings.

5.3 Assign variables to communication

Edit safeethernet in one of the communication partners.

Click Edit in the context menu of the link or double-click the line number:

Fig 5.14: Open the link editor

Hint:
If this does not work and the following message appears in the logbook, save the safeethernet editor and try again!
Fig 5.15: Error message

Assign the variables from the lower list into the upper lists. Mind the communication direction!
(Multi-selection of variables is possible!)

Fig 5.16: Assignment of the communication variables

Variables of various data types can be mixed; they automatically get addresses according to a certain principle. The internal addresses are not important for the user and therefore invisible.

5.4 Check (or set) fragment definitions (optional)

Default: one fragment with priority 1. Recommendation: keep the default!

Priority 1 means the telegram is transmitted every cycle, which is the normal case.
Only change the value if the frequency must be reduced, e.g. when facing load problems.
Consider the consequences: slower update rate, impact on timing parameters etc.

6 Diagnosis

6.1 Safeethernet diagnostic block (in logic) (System Variables)

To use the diagnostic block, create the according variables in the Global Variables of both resources.

Fig 6.1: Defining the global variables for the system variables

Edit the link again.

Every safeethernet link provides System Variables.
The System Variables used by partner PES_10 (our example!) appear in tab PES_10.
The System Variables used by partner PES_20 (our example!) appear in tab PES_20.
Assign Global Variables to some of the System Variables:

Fig 6.2: Assigning variables to the system variables

The meaning of all System Variables is explained in the Communication manual, chapter 4.4.
Remark:
Even System Variables that are not assigned can be monitored online in the Force Editor!
For the logic we provide an FB using the System Variables for diagnosis.
This FB is available from HIMA customer support or the training department.

Fig 6.3: Diagnose function block

The most important information is the status of redundancy. You can transmit any diagnosis information into a target SCADA or DCS system.

6.2 Basic check safeethernet communication

For details please see the communication manual. In the chapter safeethernet you find the meaning of all diagnostic data and also hints on how to check a safeethernet communication.
Check the status of the safeethernet links in the Control Panel.
In the example we see 4 links, including the OPC Server.

Fig 6.4: Checking the connection state

Check State; it must be Connected.

Check timing and enhanced link information:
First reset the safeethernet statistic. Right-click the word safeethernet in the CP:

Fig 6.5: Resetting the safeethernet statistic

Select a link in order to see detailed link information:

Fig 6.6: Checking the individual link data

Check the Rsp t (Response Time) statistic and compare it to the set values for Receive Timeout and Resend Timeout. See chapter 5.2 Set link properties and 8.1 in the appendix.
Check Errors, Rsnd (Resends), Succeeded (No. of Reconnections) and Early (Queue Usage): if the communication is working well, these counters should not count up and normally remain at zero after a reset of the statistic.

Check (if existing) the redundant channels:

Both channels are used in parallel and transmit the same telegrams. Of course one of them is always the first. This fact and even the time delays between them are visible in the diagnostic.

Fig 6.7: Channel quality

Coding of the quality (extract from the communication manual, chapter safeethernet)

Fig 6.8: Bit meanings of the channel quality

The normal indication is 15 or 7, randomly changing between the channels.

15 means: bits 0, 1, 2 and 3 are set: channel connected and providing the first messages.
7 means: bits 0, 1 and 2 are set: channel connected but not the first.
Example for an error, channel 2 is not working:

Fig 6.9: Not connected second channel

Check channel state and delays:

Fig 6.10: Channel state

Fig 6.11: Bit meanings of the channel state

In the example Channel 1 is OK, the redundant Channel (2) is not OK!
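The checks of this chapter, written down as a small plausibility check over a snapshot of the Control Panel values, as an added example (not HIMA code and not part of the training document): State must be Connected, the counters Errors, Rsnd, Succeeded and Early must stay at zero after the statistic reset, the measured Rsp t must stay below the configured timeouts, and each redundant channel must report quality 15 or 7 with exactly one channel being the first (bit 3). The field names and the two snapshots are constructed for the example; treating a Rsp t at or above the Resend Timeout as a warning (a response arriving later than the Resend Timeout is what produces resends) is an assumption of this example.

```python
"""Plausibility check of safeethernet link diagnostics (added example, not HIMA code).

Checks applied to a snapshot of Control Panel values taken after the statistic
was reset:
  - State must be Connected
  - Errors, Rsnd, Succeeded and Early must stay at zero
  - the maximum Rsp t must stay below Resend Timeout and Receive Timeout
  - every redundant channel must report quality 15 or 7; of two connected
    channels exactly one carries bit 3 (the "first" channel)
Field names, constructed snapshots and the Rsp t / Resend Timeout comparison
are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass

CONNECTED_BITS = 0b0111  # bits 0, 1, 2 set: channel connected
FIRST_BIT = 0b1000       # bit 3 set: this channel delivered the telegram first


@dataclass(frozen=True)
class LinkSnapshot:
    partner: str
    state: str
    errors: int
    resends: int                      # Rsnd
    reconnections: int                # Succeeded (No. of Reconnections)
    early: int                        # Early (Queue Usage)
    rsp_t_max_ms: int                 # maximum of the Rsp t statistic
    receive_timeout_ms: int
    resend_timeout_ms: int
    channel_quality: tuple[int, ...]  # one quality value per channel (1 or 2)


def channel_connected(quality: int) -> bool:
    return quality & CONNECTED_BITS == CONNECTED_BITS


def channel_first(quality: int) -> bool:
    return bool(quality & FIRST_BIT)


def describe_quality(quality: int) -> str:
    if not channel_connected(quality):
        return "not connected"
    return "connected, first" if channel_first(quality) else "connected, not first"


def check_link(s: LinkSnapshot) -> list[str]:
    """Return a list of findings; an empty list means the link looks healthy."""
    findings: list[str] = []
    if s.state != "Connected":
        findings.append(f"{s.partner}: state is {s.state!r}, expected 'Connected'")
    counters = (("Errors", s.errors), ("Rsnd", s.resends),
                ("Succeeded", s.reconnections), ("Early", s.early))
    for name, value in counters:
        if value:
            findings.append(f"{s.partner}: {name} counter is {value}, expected 0 after reset")
    if s.rsp_t_max_ms >= s.receive_timeout_ms:
        findings.append(f"{s.partner}: Rsp t max {s.rsp_t_max_ms} ms reaches "
                        f"Receive Timeout {s.receive_timeout_ms} ms")
    elif s.rsp_t_max_ms >= s.resend_timeout_ms:
        findings.append(f"{s.partner}: Rsp t max {s.rsp_t_max_ms} ms reaches "
                        f"Resend Timeout {s.resend_timeout_ms} ms, expect resends")
    for idx, q in enumerate(s.channel_quality, start=1):
        if not channel_connected(q):
            findings.append(f"{s.partner}: channel {idx} quality {q} ({describe_quality(q)})")
    connected = [q for q in s.channel_quality if channel_connected(q)]
    if len(connected) == 2 and sum(channel_first(q) for q in connected) != 1:
        findings.append(f"{s.partner}: channel qualities {s.channel_quality}: "
                        "expected exactly one first channel (15) and one 7")
    return findings


# Constructed snapshots modelled on Fig 6.7 (healthy) and Fig 6.9 (channel 2 down).
HEALTHY = LinkSnapshot("PES_20", "Connected", 0, 0, 0, 0, 180, 1000, 500, (15, 7))
CHANNEL2_DOWN = LinkSnapshot("PES_20", "Connected", 0, 3, 0, 0, 180, 1000, 500, (15, 0))

if __name__ == "__main__":
    for snapshot in (HEALTHY, CHANNEL2_DOWN):
        print(snapshot.partner, check_link(snapshot) or ["OK"])
```

The second snapshot reproduces the situation of Fig 6.9: channel 1 still delivers every telegram first (15) while channel 2 is not connected, and the Rsnd counter has started to count.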


6.3 Check for sporadic or historical errors

First reset the system error statistics in the CP:

Fig 6.12: Resetting the error and warning statistic

Check counter Communication Errors:

Fig 6.13: Checking the communication errors

Check counter Communication Warnings

Fig 6.14: Checking the communication warnings


Safeethernet can be performed by the CPU or by COM modules.

Check the diagnostic buffer of both redundant modules that are actually used for safeethernet (see the settings in the safeethernet editor, chapter 5.1).

Legend to Fig 6.15:
(1) HH network stands for HIMA-HIMA network, another word for safeethernet
(2) Node-id = System_ID-Rack_ID-Link_ID of the communication partner
(3) MAC address of the communication partner
(4) IP address of the communication partner

Fig 6.15: Checking the module diagnosis of a CPU or COM module

6.4 Check transmitted data

Start the Force Editor and check the Global Variables (Global forcing):
In the Inputs tab you find the safeethernet data which this PES receives from a certain communication partner:

Fig 6.16: Checking the transmitted data in the Force Editor tab Inputs

6.5 Check safeethernet signatures

Check and compare the safeethernet signatures in the CPs.

There must always be a matching pair of signatures.
For a detailed explanation see chapter 7.1.3.
If no matching signatures are found, the link is down and safeethernet is not working at all!
Remedy:
Start Code Generation for both communication partners and load both PES.
Use safeethernet Reload, if possible. See chapter 7.

Fig 6.17: Checking the signatures of all links between the two partners

7 Safeethernet Reload

7.1 Basics

7.1.1 Precondition
The precondition for loading a new or changed safeethernet link by Reload is an operating system compatible to SILworX V6 or higher.
See Table 1.1 Needed operating system.
How to load an operating system is described in the following documents or in the system manuals:
- HIMax Diagnostic
- HIMatrix Specials
7.1.2 Update existing link (<V6) for safeethernet Reload (V6)

Please note: All preparations/updates mentioned below will lead to a new Code Version!
1. Convert the project to SILworX V6 (or higher).
2. Update the firmware of the CPU and, if used for safeethernet links, also of the COM.
   Follow the firmware update procedures (System Manual, Release Notes).
   Consider the consequences of stopping a module.
3. Prepare CPU, COM and the links for safeethernet Reload.
   Settings required for safeethernet Reload:
   Link properties:
   The parameter Codegen must be set to V6 and higher.
   The parameter is in the table on the very right:

Fig 7.1: Changing the link property


HW Editor:
CPU properties: Code Generation: Up to V6 -> V6 and higher
This parameter does not exist in a module which is new in version 6 or higher.

Fig 7.2: Changing the safeethernet reload property in the CPU

COM properties: Code Generation: Up to V6 -> V6 and higher

Fig 7.3: Changing the safeethernet reload property in the COM

Background:
The setting is related to the new feature Timing Master.
The Timing Master setting allows changing time settings (e.g. Receive Timeout) only at the Timing Master Resource. The Timing Slave Resource accepts the new time settings without another Reload. If Code Generation is set to V6 and higher, the Code Version of the Timing Slave Resource does not change after the next Code Generation.
In older versions the Receive Timeout setting was also used as the timeout of the HH ping command. With the setting V6 and higher the timeout for HH ping has a fixed value of 2 seconds.
Now the CPU or COM does not block the Reload if the Receive Timeout is changed.
Note:
Depending on the existing settings this change sometimes requires a Cold Reload of the COM module.
4. Generate the Code with Reload option for both partners.
   During Code Generation appropriate messages appear:

Fig 7.4: Code Generation Messages

5. Reload both partners. Do not do a Download if you have a Reload code in this situation.
6. Repeat points 4 and 5 a second time.
See the update procedure below (Table 7.1).

Update procedure from link property Up to V6 to V6 and higher
(see also chapter 7.3)

Step  Editor           Partner A  A: SIG N   A: SIG N+1  Partner B  B: SIG N   B: SIG N+1  Reaction
 1    Set V6 + del DC  -          E2 <V6     E2 <V6      -          E2 <V6     E2 <V6      Link on E2
 2    -                CG         E2 <V6     E3gen V6    -          E2 <V6     E2 <V6      Link on E2
 3    -                -          E2 <V6     E3gen V6    CG         E2 <V6     E3gen V6    Link on E2
 4    -                Reload     E2 <V6     E3load V6   -          E2 <V6     E3gen V6    Link on E2
 5    -                -          E2 <V6     E3 V6       Reload     E2 <V6     E3load V6   Link on E3
 6    -                CG         E3gen V6   E3 V6       -          E2 <V6     E3 V6       Link on E3
 7    -                -          E3gen V6   E3 V6       CG         E3gen V6   E3 V6       Link on E3
 8    -                Reload     E3load V6  E3 V6       -          E3gen V6   E3 V6       Link on E3
 9    -                -          E3 V6      E3 V6       Reload     E3load V6  E3 V6       Link on E3

Table 7.1: Action sequence for changing the link properties per Reload

DC: Dual Configuration, i.e. two signature versions exist in the safeethernet configuration.
Steps 6 to 9 are the repetition of points 4 and 5 (point 6 of the procedure); after them both partners are on a single signature again.

Information in Version Comparison if changing from Up to V5 to V6 and higher


Example configuration (PES_10, System-ID 10):
- CPU in Rack 0 Slot 3
- CPU in Rack 0 Slot 4
- COM in Rack 0 Slot 5
- Safeethernet link from PES_10 to OPC Server-A (System-ID 101)
- Safeethernet link from PES_10 to OPC Server-B (System-ID 102)
- Safeethernet link from PES_10 to PES_20 (System-ID 20)

Suppose all preparations mentioned above have been carried out and we now compare the old configuration (Up to V5) with the new configuration (V6 and higher).

In CPU and COM the hh.config file is indicated because the property Code Generation has changed to V6 and higher.
Ke.config shows the newly generated System Variable Versions-Zustand.
That is normal if the link property has changed to V6 and higher.
No further meaning.

Safety Advice
Ke.config must not show any further indications, such as changed offsets for safeethernet variables.
Otherwise contact HIMA support!


cpcsip.config:

The Configuration File Version changes automatically when Extended Configuration has changed to On, which means the link property V6 and higher.
Since version 6 the new feature Timing Master exists (see above, same chapter).
If the link property V6 and higher is set, SILworX selects one of the two communication partners as Timing Master. The other partner becomes Timing Slave.
From a user point of view the selection is random!
In the example the Timing Master was selected on OPC-Server-A, on OPC-Server-B and on PES_10. The point of view is PES_10:

For the Timing Slave (that is where the Remote Partner is Timing Master) all relevant time settings are set to the maximum value, which means deactivated, because the really active time settings are now only set by the Timing Master.


For the Timing Master, Max. Receive Timeout and Max. Resend Timeout change to the maximum value. These parameters are normally invisible for the user.
The change is due to system-internal reasons and not relevant.


7.1.3 Safeethernet signature (SE signature) and Dual Configuration

Safeethernet is a safety communication in SIL 3 quality.
One of the safety features is the safeethernet signature (SE signature).
Technically the SE signature is a CRC code describing, among other things, the data layout of the transmitted data.
The SE signatures are created during Code Generation and become part of the loaded (Reload or Download) configuration.
Safeethernet communication between two communication partners only works if both partners have identical SE signatures.
In the example below we assume there is only one SE signature (SILworX V2 to V5):

Partner A: SE signature E2   |   Partner B: SE signature E2   =>  Link valid, working

Imagine a safeethernet modification and a Download of Partner A:

Partner A: SE signature E3   |   Partner B: SE signature E2   =>  Link invalid, not working

Please note:
An invalid, not working link means all transmitted variables are reset to their initial values.
Consider the consequences for the process.
The challenge:
In order to achieve the condition mentioned above we must reach identical SE signatures in both partners after carrying out a safeethernet modification.
We, as humans, can execute the Reload only one partner after the other!
Consequently, for the time between loading both partners the system must be able to deal with two different SE signatures.
As long as the two partners find an identical SE signature the link remains valid.
The challenge is to ensure this condition all the way through the safeethernet Reload procedure!


The solution (SILworX V6):

After safeethernet modification and Reload of Partner A:

          Partner A   Partner B   Link status
SIG N     E2          E2          Link still active on E2
SIG N+1   E3          E2

After Reload of Partner B:

          Partner A   Partner B   Link status
SIG N     E2          E2          Link now active on E3
SIG N+1   E3          E3

Table 7.2

Both partners now have a Dual Configuration.

Basic rules for generating safeethernet signatures:

Several CG without Reload:

Editor         Partner A action  SIG N  SIG N+1  Reaction
-              -                 E2     E2
SE Mod.1       CG                E2     E3gen    Dual Configuration generated
SE Mod.2       CG                E2     E4gen    New Dual Configuration generated
SE Mod.2 undo  CG                E2     E3gen    Old Dual Configuration generated
-              (Reload)          E2     E3
No SE Mod.     CG                E3     E3       Dual Configuration deleted

Table 7.3

Several CG with Reload:

Editor         Partner A action  SIG N  SIG N+1  Reaction
-              -                 E2     E2
SE Mod.1       CG                E2     E3gen    E2 -> E3 possible if partner updated
-              Reload            E2     E3load
SE Mod.2       CG                E3     E4gen    E3 -> E4 possible if partner updated
-              Reload            E3     E4load
SE Mod.2 undo  CG                E4     E3gen    E4 -> E3 can lead to link interruption if E4 was never activated
-              Reload            E4     E3load   Link comes back again (if disconnected before)
No SE Mod.     CG                E3     E3gen
-              Reload            E3     E3load   Dual Configuration deleted

Table 7.4

Consequence:
As long as only Code Generations are executed, no critical situations can occur; we can still undo.
But once the first partner is loaded there is no way back! Now we must execute the full sequence properly and load the second partner as well!
7.1.4 Possible changes and impact on Dual Configuration, restrictions

Definition:
Dual Configuration means there is a new configuration with new safeethernet data and also an old pre-Reload configuration.

Changes creating Dual Configuration, normal Reload possible:
- Add/delete/rename safeethernet GV
- Add/delete/rename XOPC (DA) GV
- Add/delete/rename Events (Name, ID, Severity)
- Change Timing Master
- Change Event priority
- Change link ID

Changes not creating Dual Configuration, normal Reload possible:
- Add/delete communication partner
- Add/delete link for existing partner
- Change timing parameters
- Change limits for scalar Events

Changes not creating Dual Configuration, Reload possible but with link interruption:
- Change interface (e.g. from CPU to COM); COM requires Cold Reload!

Non-reloadable changes:
- Parameter: Behavior on connection loss
- Parameter: Profile
- HIMatrix Remote IO (RIO) connections (neither data nor settings)

7.2 Add/delete (new) link including communication signals

This option only exists for PES<>PES communication, not for PES<>XOPC!
HIMax (>= BS V6) and HIMatrix F*03 (>= BS V10) support up to 64 (redundant) links.
Each link transmits 1100 Byte per direction.
Create a new link and enter a link name:

Fig 7.5

Enter a unique link ID (in the example it would be 4).

Execute Code Generation (Reload option) for both partners and Reload both partners.
The sequence of the Reloads is not important!

Advantages:
- No existing link is touched, no risk!
- No Dual Configuration is created.
- No specific procedure is required. (Compare the procedures in chapter 7.3)

Disadvantages:
- More links lead to more complexity.
- More links increase the communication load (Com. Time Slice, cycle time).

7.3 Add/delete communication signals in existing link (Dual Configuration)

This method is optional for PES<>PES communication (see chapter 7.2 Add/delete (new) link including communication signals) but the only option for PES<>XOPC communication.

7.3.1 Standard procedures

Color legend:
- Highlighted: change, new activity/status in the current step
- Pale: planned but not yet executed action (written in brackets in the tables below)
- E2: color for E2 signature
- E3: color for E3 signature
- E4: color for E4 signature
- E3gen: new activity: E3 generated by CG, the old signature is still in the PES (not displayed)
- E3load: new activity: E3 loaded during Reload
E2, E3, E4 are placeholders for safeethernet signatures; in reality each is a hex code:

Fig 7.6: SE-Signatures N and N+1

7.3.1.1 Standard procedure PES<>PES communication (golden rule)

Editor     Partner A                     Partner B                     Reaction
           Action   SIG N   SIG N+1      Action   SIG N   SIG N+1
-          -        E2      E2           -        E2      E2            Link on E2
SE Mod.    CG       E2      E3gen        -        E2      E2            Link on E2
-          -        E2      E3gen        CG       E2      E3gen         Link on E2
-          Reload   E2      E3load       -        E2      E3gen         Link on E2
-          -        E2      E3           Reload   E2      E3load        Link on E3

Table 7.5: Standard procedure

7.3.1.2 Standard procedure (golden rule) + deleting Dual Configuration (DC)

Editor        Partner A                     Partner B                     Reaction
              Action   SIG N    SIG N+1     Action   SIG N    SIG N+1
-             -        E2       E2          -        E2       E2           Link on E2
SE Mod.       CG       E2       E3gen       -        E2       E2           Link on E2
-             -        E2       E3gen       CG       E2       E3gen        Link on E2
-             Reload   E2       E3load      -        E2       E3gen        Link on E2
-             -        E2       E3          Reload   E2       E3load       Link on E3
No SE Mod.    CG       E3gen    E3          -        E2       E3           Link on E3
(del DC)
-             -        E3gen    E3          CG       E3gen    E3           Link on E3
-             Reload   E3load   E3          -        E3gen    E3           Link on E3
-             -        E3       E3          Reload   E3load   E3           Link on E3

Table 7.6: Golden rule inclusive deleting the Dual Configuration

Details and explanation see chapter 7.3.2!


7.3.1.3 Standard procedure X-OPC (DA) communication

Editor      Partner A (PES)               Partner B (X-OPC, no Dual Configuration)   Reaction
            Action   SIG N   SIG N+1      Action     Signature
-           -        E2      E2           -          E2                               Link on E2
OPC DA/AE   CG       E2      E3gen        -          E2                               Link on E2
-           -        E2      E3gen        CG         E3gen (E2 loaded)                Link on E2
-           Reload   E2      E3load       -          E3gen (E2 loaded)                Link on E2
-           -        E2      E3           Download   E3load                           Link on E3

Table 7.7

Recommendation: Now delete the Dual Configuration for the PES, see chapter 7.3.1.2.
X-OPC does not support Dual Configuration and requires a Download!
We recommend the operating sequence: first PES, second X-OPC.
If the sequence is executed the other way around (first X-OPC, second PES), the downtime of the link is much longer (the link goes down immediately after loading the X-OPC) and during the Reload of the PES the following message appears:

Fig 7.7

Normally the link is down anyway, and it is correct to Resume Reload.
Hint:
If two redundant X-OPC servers exist, it is possible to run the update one by one and keep one X-OPC active at any time.
After updating the first X-OPC server, this server immediately jumps to the new configuration (in our example E3) while the second X-OPC server still remains on the old configuration (in our example E2).

7.3.1.4 Standard procedure: Undo SE modification

Editor         Partner A                      Partner B                      Reaction
               Action   SIG N   SIG N+1       Action   SIG N   SIG N+1
-              -        E2      E2            -        E2      E2             Link on E2
SE Mod.        CG       E2      E3gen         -        E2      E2             Link on E2
-              -        E2      E3gen         CG       E2      E3gen          Link on E2
-              Reload   E2      E3load        -        E2      E3gen          Link on E2
-              -        E2      E3            Reload   E2      E3load         Link on E3
Undo SE Mod.   CG       E3      E2gen         -        E2      E3             Link on E3
-              -        E3      E2gen         CG       E3      E2gen          Link on E3
-              Reload   E3      E2load        -        E3      E2gen          Link on E3
-              -        E3      E2            Reload   E3      E2load         Link on E2

Table 7.8

Recommendation: Now delete Dual Configuration, see chapter 7.3.1.2

7.3.2 Standard procedure (golden rule) in detail

Every modification of safeethernet data or safeethernet properties basically requires a Code Generation and a Reload for both communication partners.
It is essential for success to follow the procedure consistently!
Phases 1 to 5 must be executed for every safeethernet modification!
Do not interrupt the procedure, and do nothing else in between!

Phase 1: Safeethernet modification (editor)
Phase 2: Code Generation (Reload option) Partner A -> new SE signature E3 created
Phase 3: Code Generation (Reload option) Partner B -> new SE signature E3 created
Phase 4: Reload Partner A -> new SE signature E3 loaded, link active on E2
Phase 5: Reload Partner B -> new SE signature E3 loaded, link active on E3

Fig 7.8: Standard procedure for safeethernet change

Until Phase 4 the old safeethernet configuration E2 is still working.
After the Reload in Phase 5 has finished successfully, the new safeethernet configuration E3 is executed!

Delete Dual Configuration


Most safeethernet modifications lead to a Dual Configuration.
Then both communication partners still know the old configuration E2 and the new configuration E3.
The Dual Configuration is part of the configuration files and therefore affects the master CRC (Code version).
The Dual Configuration disappears again after the next Code Generation without any safeethernet modification.
HIMA recommends to always clean up the Dual Configuration (if one exists).
Do not make any modifications during these phases!

Phase 6: Code Generation (Reload option) Partner A -> Dual Configuration deleted, master CRC changes
Phase 7: Code Generation (Reload option) Partner B -> Dual Configuration deleted, master CRC changes
Phase 8: Reload Partner A -> Dual Configuration in PES deleted
Phase 9: Reload Partner B -> Dual Configuration in PES deleted

Fig 7.9: Additional activity for deleting the dual configuration

Remark:
Phases 6 to 9 are not mandatory but recommended.
Otherwise the master CRC may change unexpectedly after a later Code Generation.
In that case use the tool Version Comparison to see the details.
7.3.3 Standard procedure (checklist for printout!)

Project Name:
Configuration Name:
Link details (name, no.):

The checklist can be used for all safeethernet Reloads!
- If Partner B is X-OPC: no Reload possible, replace Reload by Download.
- If Partner B is X-OPC: no Dual Configuration, skip Phase 3 for Partner B (e.g. enter Done in all lines).
- If the safeethernet modification does not create a Dual Configuration (e.g. new link, new partner, time setting etc.): skip Phase 3 for both partners (e.g. enter Done in all lines).

Phase 1: Check correct project basis and Reloadability

This step must be executed only if there are any doubts whether the present project is really the correct basis for the planned Reload, or if it is not sure whether Reload actually works (correct time settings, Reload allowed etc.).
If Reload already worked several times before (with the present project), skip Phase 1 (e.g. enter Done in all lines).

Columns of the checklist: SEQ | Action on Project, Editor | Partner A (Name:) | Partner B (Name:) | Date/Time | Done
SEQ 1.1 to 1.8:
- Check link status online (Partner A)
- Check link status online (Partner B)
- Project archive (Project, Editor)
- CG (Reload option), note CRC (*1) (Partner A)
- CG (Reload option), note CRC (*1) (Partner B)
- Execute Reload (Partner A)
- Execute Reload (Partner B)

(*1) No CRC change expected!



Phase 2: Carry out the planned safeethernet modification and Reload

The most important step!

Columns of the checklist: SEQ | Action on Project, Editor | Partner A (Name:) | Partner B (Name:) | Date/Time | Done
SEQ 2.1 to 2.17:
- Check link status online (Partner A)
- Check link status online (Partner B)
- Project archive (Project, Editor)
- SE modification (Project, Editor)
- CG (Reload option); check CG warnings, expected: (*1); note CRC (Partner A)
- CG (Reload option); check CG warnings, expected: (*3); note CRC (Partner B)
- Execute Reload (Partner A)
- Check Reload warnings (not expected); project archive (automatic), expected: (*2); check link status online (Partner A)
- Check link status online (Partner B)
- Execute Reload (Partner B)
- Check Reload warnings (not expected); project archive (automatic), expected: (*2); check link status online (Partner B)
- Check link status online (Partner A and Partner B)

Fig 7.10: Checklist for the safeethernet change

(*1) Examples! If a Dual Configuration is generated:

Fig 7.11

Otherwise no warnings are expected.

(*2) Example!

Fig 7.12

(*3) Example!

Fig 7.13


Phase 3: Delete Dual Configuration (if existing)

This step must be executed if a stable and explainable Code Version (CRC) is always required.
Skip this step if a change of the Code Version (CRC) is not relevant at all!
Skip this step if the executed safeethernet modification does not create a Dual Configuration at all (e.g. new link, new partner, time setting etc.).
(Skip: enter Done in all lines)

Columns of the checklist: SEQ | Action on Project, Editor | Partner A (Name:) | Partner B (Name:) | Date/Time | Done
SEQ 3.1 to 3.13:
- CG (Reload option); check CG warnings, expected: (*4); note CRC (Partner A)
- CG (Reload option); check CG warnings, expected: (*5); note CRC (Partner B)
- Execute Reload, expected: (Partner A)
- Check Reload warnings (not expected); project archive (automatic), expected: (*2); check link status online, expected: (*6) (Partner A)
- Execute Reload, expected: (Partner B)
- Check Reload warnings (not expected); project archive (automatic), expected: (*2); check link status online, expected: (*6) (Partner B)

Table 7.9: Checklist for deleting the dual configuration


(*4) example!
Fig 7.14

(*5) example!
Fig 7.15

(*6) example!

Fig 7.16

7.3.4 Guidelines and additional user information (CG and Online)

The examples show a communication between Resource PES 10 and an OPC Server.
This chapter is related to chapter 7.3.2.

Provided info after phase 2 (Code Generation PES 10):

Code Generator (PES 10):
Please watch the warnings from the Code Generator (example!):

Fig 7.17

The Code Generator checks whether the newly created Dual Configuration includes a signature matching the communication partner (in our example signature E2).

Online (CP PES 10):
Example!

Fig 7.18

Version Comparison (PES 10):

Fig 7.19 (labels: Signature E2 = last loaded; Signature E3 = prepared for Reload)

Provided info after phase 4 (Reload PES 10):


Online (CP PES 10):

Fig 7.20

Signature N (in our example E2) is still there and active.
Signature N+1 (in our example E3) is already prepared and waiting for the update of the communication partner:
Reload status in CP: updated
Com LED on CPU shows Warning

Online (CP PES 20):

Fig 7.21

The communication partner detects the new signature (E3) already available for PES 10 and indicates:
Reload status: outdated
Com LED on CPU shows Warning

After loading the partner the Reload status is back to up to date!

Provided info after deleting the Dual Configuration

In chapter 7.3.1 we recommend deleting the Dual Configuration because it changes the master CRC.
Info during Code Generation:
Example!

Fig 7.22

(Example! PES10<>PES20_1 is the name of a link, PES_10 the name of the partner)

7.3.5 Accident scenarios (overview)

Accident 1: Deleting the Dual Configuration before loading the partner:

Editor    Partner A                              Partner B                     Reaction
          Action   SIG N             SIG N+1     Action   SIG N   SIG N+1
-         -        E2                E2          -        E2      E2            Link on E2
SE Mod.   CG       E2                E3gen       -        E2      E2            Link on E2
-         Reload   E2                E3load      -        E2      E2            Link on E2
- (1)     CG       E3gen (E2 loaded) E3          (CG)     E2      E2            Link on E2
-         Reload   E3load            E3          (Reload) E2      E2            Link down

(1) Means no SE modification, but perhaps another (e.g. logic) modification.
Partner B actions in brackets: planned, but not executed.

Table 7.1

Problem:
The Dual Configuration in Partner A is deleted. Signature E2 disappears in Partner A but is still needed by Partner B. Consequence: the link breaks down!
The mistake is not loading Partner B immediately after the Reload of Partner A.
The sequence of Code Generation is actually not important, only the sequence of Reloads!
The Code Generator and the system (firmware) announce proper warnings, hence the accident is avoidable!
If the CG warnings and/or firmware warnings are respected, there is a way out!
For details see chapter 7.3.6.1 Dual Configuration deleted too early (Accident 1)

Accident 2: Yet another SE modification and Reload of Partner A again:


Editor     Partner A                              Partner B                     Reaction
           Action   SIG N             SIG N+1     Action   SIG N   SIG N+1
-          -        E2                E2          -        E2      E2            Link on E2
SE Mod1    CG       E2                E3gen       -        E2      E2            Link on E2
-          Reload   E2                E3load      -        E2      E2            Link on E2
SE Mod2    CG       E3gen (E2 loaded) E4gen       (CG)     E2      E2            Link on E2
-          Reload   E3load            E4load      (Reload) E2      E2            Link down

Partner B actions in brackets: planned, but not executed.

Table 7.2

Problem:
Partner A creates yet another signature E4 and deletes signature E2. E2 is replaced by E3, but E3 is not yet available in Partner B. Consequence: the link breaks down!
The mistake is not loading Partner B immediately after the Reload of Partner A.
The sequence of Code Generation is actually not important, only the sequence of Reloads!
The Code Generator and the system (firmware) announce proper warnings, hence the accident is avoidable!
If the CG warnings and/or firmware warnings are respected, there is a way out!
Solution:
As long as Partner A is not yet loaded (e.g. because the warnings were respected) there is still a chance to get back on track, similar to the solution in chapter 7.3.6.1 Dual Configuration deleted too early (Accident 1):
- Undo Mod2
- CG Partner B
- Reload Partner B (link on E3)
- CG Partner A (in order to get proper Online functionality)
- Reload Partner A
- Then execute Mod2 again and start the full sequence (golden rule)

Accident 3: Yet another SE modification and Reload of Partner B (deadlock):


Editor     Partner A                     Partner B                     Reaction
           Action   SIG N   SIG N+1      Action   SIG N   SIG N+1
-          -        E2      E2           -        E2      E2            Link on E2
SE Mod1    CG       E2      E3gen        -        E2      E2            Link on E2
-          Reload   E2      E3load       -        E2      E2            Link on E2
SE Mod2    (CG)     E2      E3           CG       E2      E4gen         Link on E2
-          (Reload) E2      E3           Reload   E2      E4load        Link on E2

Partner A actions in brackets: planned, but not executed.

Table 7.3

Problem:
Partner B creates yet another signature E4.
Both partners now indicate the Reload status updated and are actually waiting for each other.
The mistake is not loading Partner B immediately after the Reload of Partner A.
The sequence of Code Generation is actually not important, only the sequence of Reloads!
Up to now nothing serious has happened yet, therefore the Code Generator and the system (firmware) do not announce any warnings!
You can never get out of this situation without a short interruption of the link; whatever you do, the next Reload will shut down the link.
This interruption can take up to two times the Receive Timeout value!
See also the basic lesson in chapter 7.1.3.
The result is a deadlock! There is no proper way out!
The only remaining solution: force (if allowed, respecting the safety rules!) all transmitted variables and nevertheless execute CG and Reload of Partner A (in our example!).
The link will jump (with interruption) from E2 to E4.
Or wait
For more details and screenshots see chapter 7.3.6.2

Accident 4: Undo SE modification in the wrong sequence:


Editor         Partner A                     Partner B                     Reaction
               Action   SIG N   SIG N+1      Action   SIG N   SIG N+1
-              -        E2      E2           -        E2      E2            Link on E2
SE Mod1        CG       E2      E3gen        -        E2      E2            Link on E2
-              Reload   E2      E3load       -        E2      E2            Link on E2
-              -        E2      E3           CG       E2      E3gen         Link on E2
-              -        E2      E3           Reload   E2      E3load        Link on E3
SE Mod2        (CG)     E2      E3           CG       E3      E4gen         Link on E3
-              (Reload) E2      E3           Reload   E3      E4load        Link on E3
Undo SE Mod2   CG *     E3gen   E3           -        E3      E4            Link on E3
-              Reload   E3load  E3           -        E3      E4            Link on E3

Partner A actions in brackets: planned, but not executed.

Table 7.4

CG *: Dual Configuration deleted because the new signature is identical to the old signature.
Right now (V6.48) there are no further warnings yet, but there will be in the next version!
The sequence of Code Generation is actually not important, only the sequence of Reloads!
Up to now nothing serious has happened yet, but it is difficult to do the next step correctly.
Option 1 for the next step (bad option):
If Partner B is updated now, we get a short link interruption:
Editor   Partner A                     Partner B                     Reaction
         Action   SIG N   SIG N+1      Action    SIG N   SIG N+1
-        -        E3      E3           CG        E4      E3gen         Link on E3
-        -        E3      E3           Reload*   E4      E3load        Link down
-        -        E3      E3           -         E4      E3            Link E3 back

Table 7.5

Reload*: During the Reload the firmware announces a warning. Hence the accident is avoidable!

Fig 7.23

Abort Reload!
Option 2 for the next step (good option):
Bring Partner A to the same new version (E4) as Partner B (undo the undo):
Editor           Partner A                     Partner B                     Reaction
                 Action   SIG N   SIG N+1      Action   SIG N   SIG N+1
Back to SE Mod2  CG       E3      E4gen        -        E3      E4            Link on E3
-                Reload   E3      E4load       -        E3      E4            Link on E4
-                -        E3      E4           -        E3      E4            Link on E4

Table 7.10

Accident 5: Code Generation or Reload denied by Partner B (deadlock):


Editor    Partner A                     Partner B                     Reaction
          Action   SIG N   SIG N+1      Action     SIG N   SIG N+1
-         -        E2      E2           -          E2      E2            Link on E2
SE Mod.   CG       E2      E3gen        -          E2      E2            Link on E2
-         Reload   E2      E3load       -          E2      E2            Link on E2
-         -        E2      E3           CG*        E2      E3gen*        Link on E2
-         -        E2      E3           Reload**   E2      E2            Link on E2

Table 7.11

CG*: planned action, but Code Generation denied due to existing errors.
Reload**: planned action, but Reload denied.
Problem:
Partner A is already loaded, but Partner B cannot be loaded due to Code Generator problems or Reload problems.
The Reload sequence cannot be completed.

Solutions:
- If possible, make sure the CG for Partner B works again (e.g. fix the errors).
- If possible, make sure the Reload for Partner B works again.
That is not yet a real problem as long as fixing the problem only affects Partner B.
But it becomes a real problem if fixing the problem requires another CG and Reload of Partner A.
See the following example.

Example for a deadlock scenario:


The CG for Partner B was denied because Partner A accidentally transmits the same variable twice via two different links. That is no problem for Partner A, but the CG for Partner B is not possible because there the variable is written twice.

Theoretically two options exist:

1. Undo the last safeethernet modification manually (in the example: remove the variable from the second link).
   The CG of Partner A generates the old signature E2 again.

2. Use a project backup and go back to the original version before the last modification (therefore export the current configuration and import it into the backup project).
   The CG of Partner A generates the old signature E2 again.

But: if SIG N+1 has already been on E3 (but was never activated), stepping back to E2 always causes a short interruption of the link. See chapter 7.1.3
Editor        Partner A                                  Partner B                     Reaction
              Action   SIG N              SIG N+1        Action   SIG N   SIG N+1
-             -        E2                 E3             -        E2      E2            Link on E2
Undo SE Mod   CG*      E3gen (E2 loaded)  E2gen          -        E2      E2            Link on E2
-             Reload*  E3load             E2load         -        E2      E2            Link interrupted
-             -        E3                 E2             -        E2      E2            Link back on E2

Table 7.12

You can never get out of this situation without a short interruption of the link; whatever you do, the next Reload of Partner A will shut down the link.
This interruption can take up to two times the Receive Timeout value!
CG and Reload of Partner A without any safeethernet modification is not possible anymore either:
firstly, this does not solve the problem of Partner B, and secondly, the link then really goes down because the Dual Configuration in Partner A (including E2) will be removed.
The result is a deadlock! There is no proper way out!
The only remaining solution: force (if allowed, respecting the safety rules!) all transmitted variables, nevertheless execute CG and Reload of Partner A (in our example!) and accept the link interruption.
Or wait


The warning from CG* does not yet recognize the real, dangerous issue:

Fig 7.24

During Reload* the firmware announces a warning:

Fig 7.25

Abort Reload if you cannot afford a short link interruption.
Resume Reload only if you know the consequences.
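The following is an added example, not HIMA code and not part of the original training document: a small Python model of the Dual Configuration rules that the tables of the golden rule (chapter 7.3.2, Tables 7.5 and 7.6) and of the accident scenarios above (Accident 1, Accident 3 and the undo of Accident 5, Tables 7.1, 7.3 and 7.12) illustrate. The partner names PES_A/PES_B, the signature names and the exact transition rules (when a Reload is seamless, when it interrupts the link, when the CG and firmware warnings appear) are assumptions inferred from the tables, not the documented firmware algorithm. The model is meant for rehearsing a Reload sequence on paper before touching a live PES, not as a replacement for the checklist in chapter 7.3.3.

```python
"""Toy model of the safeethernet Dual Configuration rules (chapters 7.3.1 to 7.3.5).

Added example, not HIMA code. A partner holds (SIG N, SIG N+1); the transition
rules are a simplification inferred from Tables 7.1 to 7.12 (assumption, not the
documented firmware algorithm). "E2", "E3", ... are placeholders as in the tables.
"""
from dataclasses import dataclass, field


@dataclass
class Partner:
    name: str
    loaded: tuple             # (SIG N, SIG N+1) currently in the PES
    generated: tuple = None   # result of the last Code Generation, not yet loaded

    def code_generation(self, peer, new_sig=None):
        """Code Generation (Reload option).

        new_sig: signature produced by a pending safeethernet modification;
        None means no SE change, which deletes the Dual Configuration (only
        the last loaded SIG N+1 survives). Returns True when the CG warning of
        chapter 7.3.4 applies: nothing generated matches what the peer has loaded.
        """
        old_n1 = self.loaded[1]
        self.generated = (old_n1, new_sig if new_sig is not None else old_n1)
        return not (set(self.generated) & set(peer.loaded))


@dataclass
class Link:
    a: Partner
    b: Partner
    active: str                                  # signature carrying the link, None = down
    activated: set = field(default_factory=set)  # signatures that ever carried the link
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.activated.add(self.active)

    def peer_of(self, who):
        return self.b if who is self.a else self.a

    def reload(self, who, resume=False):
        """Reload `who` with its generated code; returns the firmware verdict.

        A Reload that would interrupt or drop the link is aborted unless
        resume=True (the 'Resume Reload' choice of the firmware dialog).
        """
        assert who.generated is not None, "Code Generation first"
        old_n1 = who.loaded[1]
        new_n, new_n1 = who.generated
        common = {new_n, new_n1} & set(self.peer_of(who).loaded)
        # assumed rule: replacing a prepared SIG N+1 that never carried the link
        # forces a re-synchronisation (interruption of up to 2x Receive Timeout);
        # losing the active signature on one side drops the link as well
        disruptive = ((new_n1 != old_n1 and old_n1 not in self.activated)
                      or self.active not in common)
        if disruptive and not resume:
            return "ABORTED: firmware warning, link would be interrupted"
        who.loaded, who.generated = who.generated, None
        if disruptive:
            self.active = None
            self.log.append(f"{who.name}: link interrupted")
            if not common:
                return "LINK DOWN: no common signature"
            # come back on a common signature, preferring a shared SIG N+1
            self.active = self.a.loaded[1] if self.a.loaded[1] in common else common.pop()
        elif self.a.loaded[1] == self.b.loaded[1] != self.active:
            self.active = self.a.loaded[1]       # seamless switch: both hold SIG N+1
        self.activated.add(self.active)
        return f"link on {self.active}"

    def reload_status(self, who):
        """'Reload status' of a CP as shown online (chapter 7.3.4)."""
        if who.loaded[1] != self.active:
            return "updated"
        if self.peer_of(who).loaded[1] != self.active:
            return "outdated"
        return "up to date"

    def deadlock(self):
        """Accident 3: both partners 'updated' and waiting for each other."""
        return (self.active is not None
                and self.reload_status(self.a) == self.reload_status(self.b) == "updated"
                and self.a.loaded[1] != self.b.loaded[1])


def fresh_link():
    """Constructed start state: both partners loaded with E2, link active on E2."""
    return Link(Partner("PES_A", ("E2", "E2")), Partner("PES_B", ("E2", "E2")), "E2")


def golden_rule(link, new_sig):
    """Table 7.5 (CG and Reload per partner), then Table 7.6 (CG without change = delete DC)."""
    verdicts = []
    for sig in (new_sig, None):
        for who in (link.a, link.b):
            who.code_generation(link.peer_of(who), sig)
            verdicts.append(link.reload(who))
    return verdicts


if __name__ == "__main__":
    print(golden_rule(fresh_link(), "E3"))   # link stays on E2 until Partner B is loaded
```

Replaying the tables against this model: the golden rule keeps the link on E2 until Partner B is loaded and deleting the Dual Configuration afterwards never touches the link; in Accident 1 the Code Generation without SE change returns the warning (True) and reload() aborts until resume=True is forced, after which the link is down; in Accident 3 neither side warns, deadlock() reports True, and the only continuation is a Reload of Partner A with resume=True that brings the link back on E4 after an interruption; the undo of Accident 5 passes Code Generation silently but is stopped by reload() and comes back on E2 only after the interruption.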

7.3.6 Accident scenarios (details)

7.3.6.1 Dual Configuration deleted too early (Accident 1)

(In the original figure the correct procedure appears in light grey, the wrong procedure in red!)

Correct procedure (light grey):
1. Safeethernet modification (editor)
2. Code Generation (Reload option) Partner A -> new SE signature E3 created
3. Code Generation (Reload option) Partner B -> new SE signature E3 created
4. Reload Partner A -> new SE signature E3 loaded, link active on E2
5. Reload Partner B -> new SE signature E3 loaded, link active on E3

Wrong procedure (red), after step 4:
No further safeethernet modification **
5. Code Generation (Reload option) Partner A -> Dual Configuration deleted! Version E2 disappears, version E3 is still there
6. Reload Partner A -> new SE signature E3 (but not E2) loaded; the link is now down since E2 does not exist anymore but is still needed by the partner!

Fig 7.26

** In the diagram we only show Accident 1.
Accident 2 occurs if, alternatively, another safeethernet modification is carried out at this point. See chapter 7.3.5

Normally steps 4 and 5 should be Reload Partner A and Reload Partner B!

Accident 1:
Here, for some reason, somebody made another Code Generation for Partner A.
It does not matter whether the new Code Generation even contains new modifications, e.g. changes in the logic, or not.
If no further modification for safeethernet was made, the new Code Generation deletes the Dual Configuration and consequently the old SE signature E2.
After executing the Reload (step 6) the link would be down because SE signature E2 is still required by communication Partner B.
Accident 2:
Accident 2 is only a variant. In Accident 2 another safeethernet modification is carried out before loading Partner B. Same consequence: SE signature E2 disappears from the Partner A configuration.
After executing the Reload (step 6) the link would be down because SE signature E2 is still required by Partner B.

Guidelines, or how to avoid the mistake:

After phase 5 (second Code Generation of Partner A) the Code Generator announces a warning (examples!):

Fig 7.27

(Normally the warning is displayed in one line)

If the warning is ignored, the firmware is the second line of defense:
during phase 6 (second Reload of Partner A) the firmware announces a warning:

Fig 7.28

Fig 7.29

The problem now:
The last generated code for Partner A is valid but cannot be used (yet), since in it the needed Dual Configuration (version E2) is already deleted.
A generated but not loaded code results in problems with Online Test and/or the next Reload!

Solution: back to the original phase 5! We must execute the Code Generation and Reload of Partner B first and then execute the Code Generation and Reload of Partner A (again).
See the following figures!

The only solution: reverse!

1. Safeethernet modification (editor)
2. Code Generation (Reload option) Partner A -> new SE signature E3 created
3. Reload Partner A -> new SE signature E3 loaded, link active on E2
4. No further safeethernet modification
5. Code Generation (Reload option) Partner A (already executed; the generated code no longer contains E2)
6. Reload Partner A: do NOT execute yet, reverse here
7. Code Generation (Reload option) Partner B -> new SE signature E3 created
8. Reload Partner B -> new SE signature E3 loaded, link active on E3 (was on E2 before)

Fig 7.30

Back on track:

1. Safeethernet modification (editor)
2. Code Generation (Reload option) Partner A -> new SE signature E3 created
3. Reload Partner A -> new SE signature E3 loaded, link active on E2
4. Code Generation (Reload option) Partner B -> new SE signature E3 created
5. Reload Partner B -> new SE signature E3 loaded, link active on E3
6. Code Generation (Reload option) Partner A -> Dual Configuration is already deleted, version E3 created again
7. Reload Partner A -> new SE signature E3 loaded again! Online Test and Reload possible again!

Fig 7.31

7.3.6.2 SE change 1 -> Reload Partner A, SE change 2 -> Reload Partner B (Accident 3)

(In the original figure the correct procedure appears in light grey, the wrong procedure in red!)

1. Safeethernet modification (editor)
2. Code Generation (Reload option) Partner A -> new SE signature E3 created
3. Reload Partner A -> new SE signature E3 loaded, link active on E2

Correct continuation (light grey):
4. Code Generation (Reload option) Partner B -> new SE signature E3 created
5. Reload Partner B -> new SE signature E3 loaded, link active on E3

Wrong continuation (red):
4. Another safeethernet modification (editor)
5. Code Generation (Reload option) Partner B -> another new SE signature E4 created; version E2 still exists
6. Reload Partner B -> new SE signature E4 and old SE signature E2 loaded; link remains active on E2

Fig 7.32

RESULT: DEADLOCK!

The link is still active on E2, here displayed as Signature N.

Fig 7.33

Please note:
There are no further warnings from the Code Generator or from the firmware!
Both partners are now in status updated.
This is actually not foreseen and results in a critical situation:
You cannot simply Reload Partner A now!
This would most likely lead to a short communication interruption!
If you try anyway, the system (firmware) announces a warning:

Fig 7.34

Abort Reload, or do not even execute the Reload, if you cannot afford a temporary link shutdown!
Only Resume Reload if a temporary link shutdown can be accepted, but consider the consequences for the process!
7.4 Change safeethernet parameters

A change of the timing parameters does not create a Dual Configuration (see chapter 7.1.4).
Change e.g. Receive Timeout and Response Time:

Fig 7.35

During the Reload the following message appears:

Fig 7.36

If the values are calculated correctly: Resume Reload.

Changing the timing parameters requires only a Reload of the Timing Master.
The Timing Slave automatically accepts the Timing Master values.
See chapter 5.2.2

7.5 Special case: Communication partner is not in the same project

Problem:
The Code Generator cannot check the partner's loaded configuration, because it is not in the same project.
Warning after Code Generation:

Fig 7.37

Consequence:
The Code Generator guideline does not exist anymore!
The only remaining safeguards are the firmware warnings (consider: they cannot detect everything).
Your options:
1. Trust yourself and the firmware, and/or
2. Create a project archive, then load the Resource in a Test-PES and read the generated safeethernet signatures.
   Compare and analyze the signatures:

   Test-PES:
   Partner:
   Result: OK!
   Table 7.13

3. Or create a new link for the newly generated communication variables and keep the original link untouched (risk reduction!). See chapter 7.2

7.6 Information in Version comparison

Example 1: New Variable added to existing link

Fig 7.38

Code Generation Version Comparison

Fig 7.39

Fig 7.40

cpcsip.config:

Fig 7.41

Labels in Fig 7.41: Partner System-ID; Link-ID (here = 0); SE signature.

Hint: the link ID as seen in the safeethernet editor:

Fig 7.42 (Link-ID)

Current Online situation (before Reload):

Fig 7.43

Version DL in the version comparison is identical to Signature N+1 (loaded in the PES).
The old Signature N is not considered in the version comparison any more.


ke.config:

Fig 7.44

Fig 7.45

After Reload:

Fig 7.46

Version DL from the version comparison is now Signature N.

Version CG from the version comparison is now Signature N+1.

7.7 Check SE Signature in a project backup

Open SILworX a second time and restore the project in which you assume the expected SE
Signature.
Export the last loaded configuration via the tool Version comparison:

Fig 7.47

Import the configuration into your actual project:

Fig 7.48

In this example the imported version is identical to Last Load.

This means the previously restored project matches the last loaded version and can be used for
Reload etc. again!

Fig 7.49

8 Appendix

8.1 Safeethernet principle (simplified)

1. Example: well working communication

Telegrams are sent at the end of a CPU cycle. Any reaction, including the processing of data,
happens at the beginning of a CPU cycle. Understanding this principle is important for
calculating the Receive Timeout and the Resend Timeout.
Advantage of the double shot principle: the newest data is processed without waiting for an
acknowledge. This makes the communication more efficient, especially if the data transmission
time or the cycle time of the target system is rather long.

Fig 8.1 (sequence over the cycles of PES10 and PES20: Telegram 1 (T1) and Telegram 2 (T2) are sent at the end of a PES10 CPU cycle; PES20 processes the data of T2 and acknowledges T1 and T2; T3 and T4 follow; PES20 processes the data of T4 and acknowledges T3 and T4)


2. Example with a loss of telegram:

The profile Fast & Noisy tolerates the loss of one or more telegrams (depending on the relation
Receive TMO / Resend TMO). A telegram is resent after the Resend Timeout.
The safety reaction follows once the Receive Timeout has expired.

Fig 8.2 (sequence over the cycles of PES10 and PES20: T1 is sent; PES20 processes the data of T1, starts the Receive Timeout and acknowledges T1; PES10 sends T2, starts the Resend Timeout for T2, and T2 is lost; the Resend Timeout for T2 expires and PES10 resends T2; PES20 processes the data of T2 and acknowledges T2; T3 and T4 follow. If the resend had not been successful, the Receive Timeout would have expired and PES20 would have set the imported variables to their initial values)


3. Example demonstrating the worst case situation regarding cycle time

Here the maximum calculated factor (5 x max. cycle time) is required.

Fig 8.3 (sequence over the cycles of PES10 and PES20: T1 is sent; PES20 processes the data of T1 and starts the Receive Timeout; PES10 sends T2, starts the Resend Timeout for T2, and T2 is lost; PES20 acknowledges T1; the Resend Timeout for T2 expires, PES10 resends T2 and it is lost again; PES20 would process the data of T2 if the resend were successful; as the resend was not successful, the Receive Timeout expires and PES20 sets the imported variables to their initial values)
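The three sequences above describe one mechanism: telegrams sent at the end of a cycle, processed at the beginning of the next one, resent after the Resend Timeout, and the safety reaction once the Receive Timeout expires. The following Python script is an added example (not HIMA code and not the safeethernet implementation) that models this behaviour for the three situations of Figs 8.1 to 8.3 in a simplified form. Everything in it is an assumption or constructed: both PES run with the same cycle time of 10 ms, the transport delay is 1 ms, the double shot is read as a pair of telegrams sent one per cycle with the next pair starting only after both acknowledges, the process value is simply the time stamp, and a connection recovers with the next valid telegram instead of being re-established.

```python
"""Simplified model of the safeethernet timing in Figs 8.1 to 8.3 (added example,
not HIMA code): double-shot telegram pairs, Resend Timeout, Receive Timeout and
the safety reaction. All numbers and the event texts are constructed."""
from dataclasses import dataclass

DELAY = 1  # assumed transport delay in ms (constructed)

@dataclass
class Telegram:
    seq: int       # telegram number: T1, T2, ...
    payload: int   # process value carried by the telegram
    attempt: int   # 1 = first transmission, 2 = first resend, ...
    sent_at: int   # time in ms when the sender put it on the wire

class Sender:
    """PES10 role: acknowledges are evaluated at the beginning of the cycle,
    telegrams are sent at the end of the cycle."""
    def __init__(self, resend_tmo: int):
        self.resend_tmo = resend_tmo
        self.unacked: dict[int, Telegram] = {}
        self.to_send: list[int] = []  # first shots of the current pair not yet sent
        self.next_seq = 1

    def begin_cycle(self, acks: list[int]) -> None:
        for seq in acks:
            self.unacked.pop(seq, None)

    def end_cycle(self, now: int, value: int) -> list[Telegram]:
        out = []
        for seq in sorted(self.unacked):  # resend after Resend Timeout without acknowledge
            old = self.unacked[seq]
            if now - old.sent_at >= self.resend_tmo:
                self.unacked[seq] = Telegram(seq, old.payload, old.attempt + 1, now)
                out.append(self.unacked[seq])
        # Double shot as read from Fig 8.1 (assumption): the two telegrams of a pair go
        # out one per cycle without waiting for an acknowledge; the next pair starts
        # only when both have been acknowledged.
        if not self.to_send and not self.unacked:
            self.to_send = [self.next_seq, self.next_seq + 1]
            self.next_seq += 2
        if self.to_send:
            seq = self.to_send.pop(0)
            self.unacked[seq] = Telegram(seq, value, 1, now)
            out.append(self.unacked[seq])
        return out

class Receiver:
    """PES20 role: processes the newest telegram at the beginning of its cycle,
    acknowledges everything received and supervises the Receive Timeout."""
    def __init__(self, receive_tmo: int, init_value: int):
        self.receive_tmo, self.init_value = receive_tmo, init_value
        self.imported = init_value  # the imported variable
        self.highest_seq, self.last_valid, self.timed_out = 0, 0, False

    def begin_cycle(self, now: int, arrived: list[Telegram]) -> tuple[list[int], list[str]]:
        events: list[str] = []
        acks = sorted({t.seq for t in arrived})
        if arrived:
            newest = max(arrived, key=lambda t: t.seq)
            if newest.seq > self.highest_seq:  # stale resends are acknowledged, not processed
                self.highest_seq, self.imported = newest.seq, newest.payload
                events.append(f"{now}: PES20 processes T{newest.seq}")
            self.last_valid, self.timed_out = now, False  # valid telegram restarts the timeout
            events.append(f"{now}: PES20 acknowledges " + ", ".join(f"T{s}" for s in acks))
        elif not self.timed_out and now - self.last_valid >= self.receive_tmo:
            self.timed_out, self.imported = True, self.init_value  # safety reaction
            events.append(f"{now}: Receive Timeout expired, imported variables set to initial values")
        return acks, events

def simulate(cycles: int, cycle_ms: int, resend_tmo: int, receive_tmo: int,
             lose: set, init_value: int = 0) -> dict:
    """Both PES run with the same cycle time (simplification). `lose` holds the
    (seq, attempt) pairs the constructed network drops."""
    sender, receiver = Sender(resend_tmo), Receiver(receive_tmo, init_value)
    wire_data, wire_ack, events = [], [], []  # (arrival time, telegram) / (arrival time, seq)
    for now in range(cycle_ms, (cycles + 1) * cycle_ms, cycle_ms):
        arrived = [t for at, t in wire_data if at <= now]  # beginning of the PES20 cycle
        wire_data = [(at, t) for at, t in wire_data if at > now]
        acks, ev = receiver.begin_cycle(now, arrived)
        events += ev
        wire_ack += [(now + DELAY, s) for s in acks]
        sender.begin_cycle([s for at, s in wire_ack if at <= now])  # beginning of PES10 cycle
        wire_ack = [(at, s) for at, s in wire_ack if at > now]
        for t in sender.end_cycle(now, value=now):  # end of PES10 cycle; value = time stamp
            if (t.seq, t.attempt) in lose:
                events.append(f"{now}: T{t.seq} (attempt {t.attempt}) lost")
            else:
                events.append(f"{now}: PES10 sends T{t.seq} (attempt {t.attempt})")
                wire_data.append((now + DELAY, t))
    return {"events": events, "imported": receiver.imported, "timed_out": receiver.timed_out}

def example_no_loss() -> dict:   # Fig 8.1: undisturbed communication
    return simulate(8, 10, resend_tmo=20, receive_tmo=50, lose=set())

def example_one_loss() -> dict:  # Fig 8.2: T2 lost once and resent in time
    return simulate(8, 10, resend_tmo=20, receive_tmo=50, lose={(2, 1)})

def example_worst_case(receive_tmo: int = 40) -> dict:  # Fig 8.3: T2 lost, resend lost again
    return simulate(8, 10, resend_tmo=20, receive_tmo=receive_tmo, lose={(2, 1), (2, 2)})
```

Printing `example_worst_case()["events"]` gives the sequence of Fig 8.3 in text form: T2 is lost at 20 ms, the resend at 40 ms is lost again, and at 60 ms the Receive Timeout expires and the imported variable falls back to its initial value. Calling `example_worst_case(50)` with the same losses shows the dependency on the relation Receive TMO / Resend TMO from example 2: the third attempt at 60 ms arrives before the longer Receive Timeout expires, so no safety reaction occurs.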

9 Changes

Rev.   Date/Name          Text
02     05.08.09/Kull      Document new created.
03     10.08.2009/Kull    Adjusted to SILworX V3
04     14.06.2012/ML      Adjusted to SILworX V4
05     04.07.2012/ML      Position of the variable definition changed.
                          Second Example in the appendix modified.
06-09                     Draft versions
10     30.01.2014/Kull    V6 features, safeethernet Reload
11     05.02.2014/ML      Little updates
12     08.05.2014/ML      Little addition in change from <V6 to V6, company name updated
       13.06.2014/Kull    New experience, new knowledge added in chapter 7 (Reload)
